OSINT — Beginner’s Guide (Part 1)

Aardwarewolf
Jan 31, 2022 · 15 min read


Tools and techniques to get you started

What does OSINT stand for, anyway?

OSINT (Open Source Intelligence) is the practice of gathering public, open-source information. It is used in many different fields by various professionals:

  • Journalism & NGOs: for investigation and fact-checking
  • Human Resources: for background checks on potential candidates
  • Financial institutions: as part of the due diligence process, before entering a new contract
  • Insurance companies: to assess potential customers and investigate claims
  • Law enforcement and private detectives: to find new evidence, connect criminal activity to a person of interest, or investigate someone
  • Cybersecurity companies / consultants: to perform penetration testing on companies or investigate a malicious actor

Unfortunately, OSINT is also used by malicious actors, such as black-hat hackers and ransomware groups, to prepare their attack on a specific target.

When people refer to OSINT, many of them think of online intelligence gathering in the Clear Web. But as anyone can go on the Deep Web, provided they have the right tools and environment, it can also be considered open source. Similarly, many offline tools are openly and publicly available too (your local library would be a good example).

If you think about it, you’ve probably already practiced OSINT yourself. Have you ever Googled yourself, or a potential employer? Searched on a specific subject for school? Then you’ve already performed a basic OSINT investigation!

This article will provide an introduction to the fascinating world of open source intelligence by giving you a few basic tools. Don’t hesitate to try them as you read; that way, you will have an idea of how much information an OSINT investigator could find about you!

Table of contents

  • Find out where a picture was taken
  • Unmask the owner of a website
  • Retrieve someone’s email address
  • Conclusion

Disclaimer: This article is for educational purposes only. The author cannot be held liable for any illegal activity or stupid prank resulting from the (mis)use of tools and techniques described in this article. Please be nice.

Find out where a picture was taken

Photo by Marco Verch on Flickr

IMINT or imagery intelligence techniques can be used for all kinds of investigations, for example by journalists trying to assess the validity of a piece of evidence or private investigators attempting to retrace someone’s footsteps. New tools for imagery analysis appear every day, and some of them require advanced technical skills.

But even simple IMINT and SOCMINT (social media intelligence) techniques can give good results, and in many cases will be enough for you to find out where a picture was taken.

Tools & Techniques:

Look for the EXIF data

This should always be your first step.

When someone takes a picture with a phone or a digital camera, additional tags might get attached to it. These are not visible on the picture itself but stored inside the picture file, in a specific format called EXIF. EXIF data can include the date and GPS location, indicating exactly when and where the photo was taken, as well as information on the device used.

If the photo is posted without removing this EXIF data (on a blog, a website or in a conversation on an instant messaging app), this information can be found pretty easily, with online tools like metadata2go or dedicated programs like ExifTool. If you have a Mac, you can also simply open the picture in the Preview app. All the stored geolocation data will be accessible from the “Tools” menu, by clicking “Show Inspector”.

To use metadata2go, simply download the image and drag and drop it.

If the EXIF data was still enclosed in the picture file, you should see something like this:

A classic example, used in all OSINT 101 workshops.

Most of the time, the location data is going to be stored as GPS coordinates; a quick search using Google Maps will give you the actual location. Just enter the coordinates in the search bar. Make sure to respect the proper formatting, like in the example below.

Note that most social networks will automatically strip EXIF data from pictures, but that this is not the case for instant messaging applications like WhatsApp.
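To make the “stored inside the picture file, in a specific format” part concrete, here is an added example (not code from the original article) that builds a tiny EXIF blob with a GPS sub-IFD and then parses it back into decimal coordinates the way ExifTool or metadata2go would. The coordinates and the blob are constructed for this example; in a real JPEG the same structure sits inside the APP1 segment after the `Exif\0\0` marker.

```python
import struct

# Sample coordinates constructed for this example (roughly the Eiffel Tower):
# 48°51'29.6"N, 2°17'40.2"E, stored the EXIF way as RATIONAL (numerator, denominator) triples.
SAMPLE_LAT = ((48, 1), (51, 1), (296, 10))
SAMPLE_LON = ((2, 1), (17, 1), (402, 10))


def build_exif_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal little-endian TIFF/EXIF blob holding only a GPS sub-IFD."""
    header = b"II" + struct.pack("<HI", 42, 8)          # byte order, magic 42, IFD0 at offset 8
    gps_ifd_off = 8 + 2 + 12 + 4                        # IFD0 = count + one entry + next-IFD pointer
    data_off = gps_ifd_off + 2 + 4 * 12 + 4             # GPS IFD = count + four entries + pointer
    ifd0 = struct.pack("<HHHII", 1, 0x8825, 4, 1, gps_ifd_off) + b"\0\0\0\0"  # 0x8825 = GPS IFD pointer
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 0x0001, 2, 2, lat_ref.encode() + b"\0\0\0")  # GPSLatitudeRef (inline ASCII)
    gps += struct.pack("<HHII", 0x0002, 5, 3, data_off)                        # GPSLatitude -> 3 RATIONALs
    gps += struct.pack("<HHI4s", 0x0003, 2, 2, lon_ref.encode() + b"\0\0\0")  # GPSLongitudeRef
    gps += struct.pack("<HHII", 0x0004, 5, 3, data_off + 24)                   # GPSLongitude
    gps += b"\0\0\0\0"                                                          # no further IFD
    rationals = b"".join(struct.pack("<II", n, d) for n, d in lat_dms + lon_dms)
    return header + ifd0 + gps + rationals


def _read_ifd(blob, end, off):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at `off`."""
    (n,) = struct.unpack_from(end + "H", blob, off)
    entries = {}
    for i in range(n):
        tag, typ, cnt, raw = struct.unpack_from(end + "HHI4s", blob, off + 2 + 12 * i)
        entries[tag] = (typ, cnt, raw)
    return entries


def _dms_to_decimal(blob, end, raw, ref):
    """Decode the three RATIONALs (deg, min, sec) pointed to by `raw` into signed degrees."""
    (off,) = struct.unpack_from(end + "I", raw)
    p = struct.unpack_from(end + "IIIIII", blob, off)
    value = p[0] / p[1] + (p[2] / p[3]) / 60 + (p[4] / p[5]) / 3600
    return -value if ref in ("S", "W") else value       # south / west are negative


def exif_gps_coordinates(blob):
    """Return (lat, lon) in decimal degrees, or None when the file carries no GPS tags."""
    end = "<" if blob[:2] == b"II" else ">"              # 'II' = Intel (little), 'MM' = Motorola (big)
    (ifd0_off,) = struct.unpack_from(end + "I", blob, 4)
    ifd0 = _read_ifd(blob, end, ifd0_off)
    if 0x8825 not in ifd0:                               # no GPS sub-IFD: nothing to geolocate
        return None
    (gps_off,) = struct.unpack_from(end + "I", ifd0[0x8825][2])
    gps = _read_ifd(blob, end, gps_off)
    try:
        lat = _dms_to_decimal(blob, end, gps[0x0002][2], gps[0x0001][2][:1].decode())
        lon = _dms_to_decimal(blob, end, gps[0x0004][2], gps[0x0003][2][:1].decode())
    except KeyError:                                     # GPS IFD present but incomplete
        return None
    return round(lat, 6), round(lon, 6)


SAMPLE_BLOB = build_exif_gps(SAMPLE_LAT, "N", SAMPLE_LON, "E")   # constructed sample
NO_GPS_BLOB = b"II" + struct.pack("<HIH", 42, 8, 0) + b"\0\0\0\0" # IFD0 with zero entries
```

`exif_gps_coordinates(SAMPLE_BLOB)` returns `(48.858222, 2.2945)`, which is exactly the “lat, lon” form Google Maps accepts in its search bar.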

Look for landmarks and recognizable features

This will require you to perform a reverse image search.

Use a search engine (Google Images, TinEye, but also Yandex, Google’s Russian counterpart) to reverse search a picture and get an idea of where it was taken.

While your search may not return the exact same picture, the suggestions can provide you with an answer. Is there a landmark, a monument, a particular view of a city? Can you spot similar features between your picture and the results from the search engine?

An example of the results a reverse image search on Google images might yield. Was that search really necessary though?

Obviously, this works better for pictures of a location or a landscape.

If you’re investigating a selfie, you can still extract useful information simply by paying close attention to what’s in the background.

Do you see what the background is trying to tell you here? ©Wikimedia Commons.

Is there a road sign, or a storefront? Can you read what it says? Sometimes, simply googling that information along with descriptive search terms (“mountains”, “ruins”, “llama”) can do wonders (try it!).

Finally, keep in mind that reverse image search engines work best with high-quality pictures. If your photo is low-quality, you’ll want to enhance it as much as possible before running it through any search tool (but NOT before extracting the EXIF data!). There are a number of online websites or applications that will do that for you, such as MyHeritage or Let’s Enhance, available for limited use on free trial.

Alternatively, you can use the all-in-one InVID & WeVerify browser extension on Chrome, which combines picture enhancing and reverse search engine tools.

On social media, look for tags and comments

Sometimes, you don’t need to look further than the comment section.

Just because someone is careful enough not to post their actual location doesn’t mean that their friends or followers will be as considerate. Scroll down, and see what people have to say about the picture. It can go from a friend saying: “Reminds me of my time there last summer” (guess whose feed you’re going to check then) to people giving away the location in plain text. Sometimes, the photo may not have a landmark or anything recognizable in it, but another person may be tagged, because they were there too; check out their profile and see if they posted their own photo of that moment and provided more details or tags.

©pixahive.com

In SOCMINT investigations, your answer is often one click away from the profile of your original “target”. Figuring out who their closest contacts are can open up a whole world of new opportunities to get answers.

Unmask the owner of a website

©amenschool.fr

Establishing a link between a particular individual and an online business can be crucial for successfully conducting law enforcement operations or investigative journalism. You may also want to verify a company you’re about to hire for a specific work. While there are many ways for people to hide their involvement with a website, it doesn’t mean you can’t try!

Tools & Techniques:

Search the Website

First, begin your search by inspecting the website itself. Websites often have an “About” page or “Contact us” page that could provide the name of the owner or at least someone from the company, which would give you a starting point to continue your research.

If the website has a privacy policy, you can have a look and see if the corporate name and address of the company are mentioned. This name may be completely different from that of the website, because it could be the parent company of the one you’re investigating. You can then cross-check this name with publicly-available commercial registries and records. Depending on which country the company is based in, you may find the name of at least one of the company’s owners there. This person may or may not be the website owner, but again, it’s a great starting point.

Try the ICANN Lookup

When someone registers a domain, they have to provide a name and address to the domain name registrar — this would be GoDaddy or a similar company. This information is publicly available and can be searched with tools like the ICANN Lookup.

Here is an example with “Amazon.com”:

With ICANN Lookup, you can find the country, name, address, phone number, and email of the website registrant — here, “Amazon Legal Dept”.

Note that some hosting companies offer their customers the possibility to hide their name and address for a small fee. If that’s the case, you’ll find either the mention “Redacted” or “Not available”, and the listed country will be that of the web hosting company.

Use search engines and social media

If the ICANN registry does not yield satisfactory results, you can Google the name of the website and search for a presence on social media; try to find which accounts interact with the page the most (liking, sharing, commenting), as these will probably belong to the owner of the website, or in the case of a company, to employees. Then, explore what you can find in relation to the accounts’ usernames; people tend to keep the same usernames across platforms, so there’s a good chance you’ll be able to make progress this way.

If the website belongs to a company, start by looking at the company’s LinkedIn page for someone in the IT or communications/marketing department, as these employees will often maintain the website.

You could use Google Dorking to make your Google search easier. Google dork operators can be used to optimize your searches and make them more precise and efficient.

Go back in time with The Wayback Machine


The Wayback Machine is a wonderful tool that allows you to see former versions of a website. Pretty neat, huh?

Although the aim of this tool is to create an archive of the Internet, so to speak, it’s pretty useful for OSINT investigations. You can search your website, click on the calendar view, and look at all changes that were made on it and recorded by the Machine.

From osintcurio.us

So if the website owner put their name in the contact page or somewhere else at some point, the Wayback Machine will let you see it, even though it’s since been erased.

Of course, the Wayback Machine can only show you what was happening on a domain in the past, without discriminating between owners. So if the domain name was taken over multiple times, it’s entirely possible that the information you find does not pertain to the current owner you’re investigating.

Last or first, but not least: try viewdns.info

Depending on your investigation, you may want to go directly for this tool, or save it for last. Viewdns.info is an all-in-one service that provides information and reports on DNS settings. It also offers many resources for research on IP addresses and domain names that can be useful for different types of investigation.

To find the owner of a particular domain, you can either do a Reverse IP Lookup or an IP History search.

  • The Reverse IP Lookup will let you know how many sites are associated with a single server. Enter the domain of your website and find what other sites are on the same server. If the website is privately hosted, you may find other sites listed here that could give you more info on your owner.
  • The IP History will list all previous IP addresses associated with a domain, along with the name of the registrant. Used in conjunction with the Wayback Machine, it’s a powerful tool that can help you decide how far back you need to investigate — and save you a lot of time!

Retrieve someone’s email address

Retrieving someone’s email address may be useful when conducting any kind of OSINT investigation, or during a pentest. Perhaps you need to connect someone to an address that is linked to criminal activity, or you need to assess how easy it would be for an attacker to spearphish key people within an organization. Either way, there are many techniques that can be used, and your success will mostly depend on how much time you have at your disposal.

Tools and techniques:

  • Google search and social media search tools
  • Domain registry: ICANN
  • Social media intelligence
  • Webpage search
  • Google advanced search: Google Dorking
  • Human intelligence (HUMINT) & social engineering (SE)

Google your target

Start from the beginning. There is no need to invest time and effort in more complex techniques if the information is readily available.

Do a thorough Google search on your target, and pay particular attention to the following:

  • Do they have a blog or website attached to their name? Their email address may be in their intro, or on the contact page. If not, looking up the registrant name for their domain with the ICANN Lookup is always worth a try.
  • Are they on social media? The email address may be part of their bio or intro (on LinkedIn in particular), or they may have sent it to someone in reply to a comment. Browse through their activity and use the social network’s own search engine.

Here is an example with Twitter. Let’s say you’ve found the Twitter account of your target and would like to see if they have mentioned their email in a tweet at some point.

Using the built-in Advanced search tool, you can look for content associated with a particular user. To access the advanced search tool, just search for anything in the search bar. On the result page, go to the three dots on the right of the search bar and click on “Advanced Search”.

In the Words category, you can put “email” or even “gmail.com” or another email provider; there are different possibilities to do this (exact phrase, any of these words, etc.).

Scrolling down, you’ll get to the Account category; here, copy the Twitter handle of your target.

Depending on what you know about your target, you can even select other accounts if you think they may have provided that information to a particular person.

Run Twitter’s search engine, and voilà! You see all their tweets, replies and comments that include your search terms. In this case, the person did give their full email in reply to a comment:

  • Do they appear on other websites (work, events, schools, etc.)?

Their work email address may simply be listed on the company’s website, but that is less and less the case. Oftentimes, however, people take part in events or conferences, and those event companies may unintentionally expose the email addresses of participants via a list of attendees in PDF format. The same goes for schools listing graduates. If not properly secured, these files will show up in a Google search. You may have to search within the file itself, as such lists tend to be long.

If none of this yields any result, you’ll have to look a bit deeper.

Look inside their webpage

If your target has a website or a blog, you can try using the View Page Source tool in your browser. If you use Firefox or Chrome, you can find it in your browser’s menu, under “More tools”. This will allow you to inspect the HTML code of a webpage and look for clues. To make things quicker, you can search for “@” in the HTML code, and see if the person left an email address in there.

What a webpage source looks like. See the original here.
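Searching the source for “@” by hand misses addresses hidden in `mailto:` links, HTML comments, entity-encoded characters (`&#64;` is “@”) or “name [at] domain” spellings. The following added example (not code from the original article) extracts all of them from a page source; the HTML sample is constructed, and the same script is just as useful for auditing how many addresses your own site gives away.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample page: a visible address, a mailto: link, an entity-encoded address,
# a "[at] ... [dot]" address and a forgotten one in an HTML comment.
SAMPLE_HTML = """<html><body>
<p>Contact: press@example.org</p>
<a href="mailto:Jane.Doe@example.org?subject=hi">Email Jane</a>
<p>webmaster&#64;example&#46;org</p>
<p>support [at] example [dot] org</p>
<!-- old address: old.owner@example.net -->
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
OBFUSCATED_RE = re.compile(r"\s*[\[(]\s*(at|dot)\s*[\])]\s*", re.IGNORECASE)


class _SourceCollector(HTMLParser):
    """Gather text nodes, comments and mailto: targets, with entities already decoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)     # &#64; arrives as '@' in handle_data
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_comment(self, data):                 # comments are invisible in the browser, not in the source
        self.chunks.append(data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                self.chunks.append(html.unescape(value[len("mailto:"):].split("?")[0]))


def _deobfuscate(text):
    """Turn 'user [at] host [dot] tld' into 'user@host.tld'."""
    return OBFUSCATED_RE.sub(lambda m: "@" if m.group(1).lower() == "at" else ".", text)


def extract_emails(source):
    """Return the sorted, de-duplicated, lowercased email addresses found in an HTML source."""
    collector = _SourceCollector()
    collector.feed(source)
    text = _deobfuscate("\n".join(collector.chunks))
    return sorted({match.lower() for match in EMAIL_RE.findall(text)})
```

On the sample, `extract_emails(SAMPLE_HTML)` finds all five addresses, while a plain search for “@” in the raw source would have found only three.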

Search for leaked databases and Excel files with Google Dorking

You can use Google Dork operators and see if you can dig up a publicly available Excel file that contains your target’s email address. This can also include databases from platforms that were hacked and published on the Deep Web, which sometimes even find their way onto the regular Internet. However, keep in mind that there are many files like this to search through, and it could take you quite some time to manually go through all of them.

Note: Conversely, if you have the email address but not the person’s name, you can enter it on HaveIBeenPwned and see if it has been leaked somewhere; then, search for that specific leaked database and see if you can find the person’s name in there.

Get up close and personal (HUMINT and social engineering)

If all else fails, the best and quickest way of retrieving someone’s email is simply to ask them.

Depending on the type of investigation you’re conducting, it’s also the riskiest, as it requires direct contact between you and the target, or at least someone close to them. This is why I’ve kept social engineering for the end, but in some contexts (pentesting comes to mind), you may want to try it first to assess how (un)ready a company is for this kind of attack.

For this to work, you will need to understand who your target is and how to approach them. The more difficult and unreachable your target, the more research you will need to do beforehand.

Look at their social media and company website, but don’t stop there. Really explore their online presence to find out what they do, where they come from, and how they present themselves to the world. You’ll want to make sure that you have a good grasp of their character and can anticipate their reactions. For a simple request such as an email address, this should not take up too much of your time, but it’s a necessary step.

Photo by Jean-Pierre Bluteau on Flickr

Once you’ve gathered enough intelligence, you need to create what social engineers call a “pretext”, which is basically the false identity you will assume to trick your target into revealing their information to you. Taking into account what you know about that person, adopt a salesman perspective, and try to figure out how you can best get them to seal the deal, aka give you the information you need. Is their company going through interviews at the moment? Have they moved to a new location? Are they taking part in a mentoring program? Have they signed up for an event? By cross-checking all the information you have, you can create a convincing pretext that will make sense and appeal to them both logically and emotionally.

When you are ready, make your move and establish rapport. This can mean connecting on social networks, or calling their office/home. Pay attention to details that could give you away (for example, don’t use British spelling if you’re pretending to be American) and make sure your pretext is believable. Once trust between you and your target is established, you can move on to the exploitation phase and request that email. If you get it, congratulations! But don’t hang up or close that chat window right away. You need to make a smooth and stealthy exit, so as not to raise alarms in your target’s mind… Ideally, they should even feel good about this!

Conclusion

In this article, we’ve seen what OSINT is, its basic techniques and tools, and how they can be used in many contexts by different parties to gain intelligence. The idea was to gently introduce you to the wonderful world of OSINT, and hopefully, help you gain some valuable investigative skills along the way. The next article will focus on what you can do to improve your digital privacy, and make yourself less of an easy target.

Meanwhile, keep practicing: have a go at the OhSINT room on TryHackMe and follow @quiztime on Twitter for daily OSINT challenges!

Happy investigations!


Aardwarewolf

Nocturnal hardware lover, OSINT practitioner & cybersecurity enthusiast who feeds on computer bugs and hides into virtual rabbit holes.